Florida Administrative Code (Last Updated: November 11, 2024) |
1. Department of State |
1B. Division of Library and Information Services |
1B-26. Records Management - Standards And Requirements |
1(1) These rules provide standards for record copies of public records which reside in electronic form. These requirements must be incorporated in the system design and implementation of new systems and enhancements to existing systems in which electronic records reside. Public records are those as defined by Section 49119.011(12), F.S.
51(2) These rules are applicable to all agencies as defined by Section 63119.011(2), F.S., 65and establish minimum requirements for the creation, utilization, maintenance, retention, preservation, storage and disposition of electronic record copies, regardless of the media.
87(3) Electronic recordkeeping systems and practices in use at the effective date of this rule that are not in compliance with the requirements of this rule may be used until the systems or practices are replaced or upgraded. New and upgraded electronic recordkeeping systems and practices created or implemented after the effective date of this rule shall comply with the requirements contained herein. If an agency cannot practicably achieve compliance with this section in relation to an upgraded system, the agency shall document the reason why it cannot do so.
177(4) For the purpose of these rules:
184(a) “Checksum” means a hashing algorithm or procedure for checking that electronic records have not been altered by transforming a string of characters into a usually shorter fixed-length “hash value” or key that represents the original string.
221(b) “Database” means an organized collection of automated information.
230(c) “Database management system” means a set of software programs that controls the organization, storage and retrieval of data (fields, records and files) in a database. It also controls the security and integrity of the database.
266(d) “Digital signature” means a type of electronic signature (any letters, characters, or symbols executed with an intent to authenticate) that can be used to authenticate the identity of the sender of a message or the signer of a document and to ensure that the original content of the message or document that has been sent is unchanged. Digital signatures can be created through checksums.
331(e) “Electronic record” means any information that is recorded in machine readable form.
344(f) “Electronic recordkeeping system” means an automated information system for the organized collection, processing, transmission and dissemination of information in accordance with defined procedures.
368(g) “Logical access controls” means those administrative controls and permissions allowing or limiting user access to a system’s records and resources.
389(h) “Metadata” means 392structured or semi-structured data about records that enables identification, access, use, understanding and preservation of those records over time.
411(i) “System design” means the design of the nature and content of input, files, procedures and output, and their interrelationships.
431(j) “Permanent or long-term records” means any public records as defined by Section 444119.011(12), F.S., 446which have an established retention period of more than 10 years.
457(k) “PPI” means pixels per inch and is the measurement of digital pixels on a screen or file.
475(l) “Record copy” means public records specifically designated by the custodian as the official record.
490(m) “Geographic information system” means a computer system for capturing, storing, checking, integrating, manipulating, analyzing and displaying data related to positions on the Earth’s surface.
515(n) “Open format” means a data format that is defined in complete detail, allows transformation of the data to other formats without loss of information, and is open and available to the public free of legal restrictions on use.
554(o) “Unicode” means the universal character encoding standard maintained by the Unicode Consortium, providing the basis for processing, storage, and interchange of text data in any language in all modern software and information technology protocols.
589(5) Agencies shall develop and maintain adequate and up-to-date technical and descriptive documentation for each electronic recordkeeping system to specify characteristics necessary for reading or processing the records. Documentation for electronic records systems shall be maintained in electronic or printed form as necessary to ensure access to the records. The minimum documentation required is:
643(a) A narrative description of the system, including all inputs and outputs of the system; the organization and contents of the files and records; policies on access and use; security controls; purpose and function of the system; update cycles or conditions and rules for adding information to the system, changing information in it, or deleting information; and the location and media in which electronic records are maintained and their retention requirements to ensure appropriate disposition of records in accordance with Chapter 1B-24, F.A.C.
726(b) The physical and technical characteristics of the records, including:
7361. A record layout or markup language that describes each file or field including its name, size, starting or relative position, and description of the form of the data (such as alphabetic, decimal or numeric), or
7722. A data dictionary or the equivalent information associated with a database management system including a description of the relationship between data elements in databases;
797(c) For information coming from geographic information systems, the physical and technical characteristics of the records must be described including a data dictionary, a quality and accuracy report and a description of the graphic data structure, such as recommended by the federal Spatial Data Transfer Standards; and,
844(d) Any other technical information needed to read or process the records.
856(6) Electronic recordkeeping systems that maintain record copies of public records on electronic media shall meet the following minimum requirements:
876(a)1. Provide a method for all authorized users of the system to retrieve desired records;
8912. Provide an appropriate level of security to ensure the integrity of the records in accordance with the requirements of Chapter 282, F.S. Security controls should include, at a minimum, physical and logical access controls, backup and recovery procedures, and training for custodians and users. Automated methods for integrity checking should be incorporated in all systems that generate and use official file copies of records. Checksums and digital signatures should be considered for all official file copies of electronic records. The use of automated integrity controls, such as checksums and digital signatures, can reduce the need for other security controls. Checksums used to protect the integrity of official file copies of records should meet the requirements of U.S. Federal Information Processing Standards Publication 180-4 (FIPS-PUB 180-4) (August 4, 2015) entitled “Secure Hash Standard (SHS),” 1026https://www.flrules.org/Gateway/reference.asp?No=Ref-13888 1028which is hereby incorporated by reference, and made a part of this rule. This publication is available from the National Institute of Standards and Technology, U.S. Department of Commerce, 100 Bureau Drive, Gaithersburg, MD 20899, and at the Internet Uniform 1068Resource Locator: https://csrc.nist.gov/publications/detail/fips/180-4/final.
10713. Identify the open format or standard interchange format when necessary to permit the exchange of records on electronic media between agency electronic recordkeeping systems using different software/operating systems and the conversion or migration of records on electronic media from one system to another.
11154. Provide for the disposition of the records including, when appropriate, transfer to the Florida State Archives.
1132(b) Before a record copy is created on an electronic recordkeeping system, the record shall be uniquely identified to enable authorized personnel to retrieve, protect, and carry out the disposition of records in the system. Agencies shall ensure that records maintained in such systems can be correlated with any existing related records on paper, microfilm or other media.
1190(c) Systems or programs used to create, store or access record copies of electronic records must capture structural, descriptive, administrative and technical metadata standard to the system or program employed and must generate additional metadata whenever a record is moved within the system or migrated to another format or storage medium.
1241(7) Agencies shall implement the following procedures to enhance the legal admissibility of electronic records:
1256(a) Document that similar kinds of records generated and stored electronically are created by the same processes each time and have a standardized retrieval approach.
1281(b) Substantiate that security procedures prevent unauthorized addition, modification, or deletion of a record and ensure systems are protected against such problems as power interruptions.
1306(c) Identify the electronic media on which records are stored throughout their life cycle, the maximum time span that records remain on each storage media, and the official retention requirements as approved by the Division of Library and Information Services.
1346(d) 1347Professional engineer drawings and documents: Maintain in unaltered form a record copy of any and all documents signed, dated and sealed by a professional engineer prior to or upon submission to the agency. The record copy of signed, dated and sealed documents must be retained in unaltered form for the duration of the record’s retention period. This provision does not prohibit agencies from scanning the unaltered document and maintaining the scanned copy as the record copy.
1423(e) State agencies shall, and other agencies are encouraged to, establish and maintain integrity controls for record copies of electronic records in accordance with the requirements of Chapter 282, F.S.
1453(8) For storing record copies of electronic public records throughout their life cycle, agencies shall select appropriate media and systems which meet the following requirements:
1478(a) Permit easy and accurate retrieval in a timely fashion;
1488(b) Retain the records in a usable format until their authorized disposition and, when appropriate, meet the requirements necessary for transfer to the Florida State Archives.
1514(c) Agencies shall not use the following for the storage of record copies of permanent or long-term records:
15321. Flash memory media (such as thumb drives, SD cards, CF cards, micro-SD cards);
15462. Audio cassette tape;
15503. VHS video cassette tape;
15554. Floppy disks.
1558(d) Permanent or long-term records may be stored using one or more of the following methods:
15741. Hard drive, preferably high-reliability, solid-state drive (SSD); spinning hard disk drive (HDD) is also acceptable;
15902. Optical disc, preferably write-once discs with an inert dye layer;
16013. Polyester-based magnetic data tape;
16064. Cloud storage, preferably high-reliability, web-based storage services.
1614(e) Standard. A scanning density with a minimum of 300 PPI is required for scanned images created by the agency from hard copy permanent or long-term records.
1641(f) Record copies of scanned images created by the agency from hard copy permanent or long-term records must be stored in accordance with a published International Organization for Standardization (ISO) open standard image format.
1675(g) The following factors are to be considered before selecting a storage media or converting from one media to another:
16951. The authorized retention of the records as determined during the scheduling process;
17082. The maintenance necessary to retain the records;
17163. The cost of storing and retrieving the records;
17254. The access time to retrieve stored records;
17335. The portability of the medium (that is, selecting a medium that can be read by equipment offered by multiple manufacturers); and,
17556. The ability to transfer the information from one medium to another, such as from optical disk to magnetic tape.
1775(9)(a) Agencies shall back up electronic records on a regular basis to safeguard against the loss of information due to equipment malfunctions, human error or other disaster. Additional backups are strongly recommended for permanent and long-term records. Backups created for disaster recovery purposes, and all preservation duplicates of permanent or long-term records, shall be maintained in an off-site storage facility, which may include cloud storage, geographically separated from the risks associated with the agency’s location. The storage environment must be maintained at constant temperature (below 68 degrees Fahrenheit) and relative humidity (30 to 45 percent) levels. Storage and handling of permanent or long-term records on magnetic tape shall conform to the standards contained in Standard AES22-1997 (r2008) “AES recommended practice for audio preservation and restoration – Storage and handling – Storage of polyester-base magnetic tape” 1910https://www.flrules.org/Gateway/reference.asp?No=Ref-13889 1912(published 1997, reaffirmed 2003 and 2008, stabilized 2012) which is hereby incorporated by reference and made a part of this rule. This publication is available from the Audio Engineering Society, Incorporated at the Internet Uniform Resource Locator: 1949https://www.aes.org/publications/standards/search.cfm?docID=25. 1951If an agency cannot practicably maintain backups and preservation duplicates as required in this section, the agency shall document the reasons why it cannot do so. Other electronic records media should be stored in a cool, dry, dark environment when possible (maximum temperature 73 degrees Fahrenheit, relative humidity 20-50 percent).
2001(b) Agencies shall annually read a statistical sample of all electronic media containing permanent or long-term records to identify any loss of information and to discover and correct the cause of data loss.
2034(c) Agencies shall conduct data integrity testing on all media containing permanent or long-term electronic records at least every 10 years and verify that the media are free of permanent errors. More frequent testing (e.g. at least every 5 years) is highly recommended. If a checksum was previously run on the digital media, testing can be conducted by running the same checksum.
2096(d) Agencies shall rewind tape reels immediately before use to restore proper tension, or at a minimum every three years. When tapes with extreme cases of degradation are discovered, they should be rewound to avoid more permanent damage and copied to new media as soon as possible. Tapes shall be played continuously from end to end to ensure even packing. Tapes shall be stored so that the tape is all on one reel or hub. The requirement for rewinding does not apply to tape cartridges.
2181(e) External labels (or the equivalent automated management system) for electronic recording media used to store permanent or long-term records shall provide unique identification for each storage media, including:
22101. The name of the organizational unit responsible for the data;
22212. System title, including the version number of the application;
22313. Special security requirements or restrictions on access, if any; and,
22424. Software in use at the time of creation.
2251(f) Standard. 2253F2254or all media used to store permanent or long-term electronic records, agencies shall maintain human readable information specifying recording methods, formats, languages, dependencies and schema sufficient to ensure continued access to, and intellectual control over, the records. Additionally, the following information shall be maintained for each media used to store permanent or long-term electronic records:
23091. File title;
23122. Dates of creation;
23163. Dates of coverage; and,
23214. Character code/software dependency.
2325(g) Electronic records storage media shall not be stored closer than 6 feet to sources of magnetic fields, including generators, elevators, transformers, loudspeakers, microphones, headphones, magnetic cabinet latches and magnetized tools.
2356(h) Electronic records on magnetic tape or disk shall not be stored in metal containers unless the metal is non-magnetic. Storage containers shall be resistant to impact, dust intrusion and moisture. Compact disks shall be stored in hard cases, and not in cardboard, paper or flimsy sleeves.
2403(i) Agencies shall ensure that record copies of electronic records are maintained by personnel properly trained in the use and handling of the records and associated equipment.
2430(j) Agencies shall establish and adopt procedures for external labeling of physical storage media and for descriptive file naming and/or labeling of electronic files and directories so that all authorized users can identify and retrieve the stored information.
2468(k) Agencies shall convert storage media to provide compatibility with the agency’s current hardware and software to ensure that information is not lost due to changing technology or deterioration of storage media. Before conversion of information to different media, agencies must determine that authorized disposition of the electronic records can be implemented after conversion. Permanent or long-term electronic records shall be transferred to new media compliant with this rule as needed to prevent loss of information due to changing technology or deterioration of storage media.
2553(10) Each agency is responsible for ensuring the continued accessibility and readability of public records throughout the entire life cycle regardless of the format or media in which the records are maintained.
2585Agencies shall establish policies and procedures to ensure that electronic records and their documentation are retained and accessible as long as needed. These procedures shall include provisions for:
2613(a) Scheduling the retention and disposition of all electronic records, as well as related access documentation and indexes, in accordance with the provisions of Chapter 1B-24, F.A.C.
2640(b) Establishing procedures for regular recopying, reformatting and other necessary maintenance to ensure the retention and usability of the electronic records throughout their authorized life cycle.
2666(c) Transferring a copy of the electronic records and any related documentation and indexes to the Florida State Archives at the time specified in the records retention schedule, if applicable. Transfer may take place at an earlier date if convenient for both the agency and the Archives.
2713(11) Electronic records may be destroyed only in accordance with the provisions of Chapter 1B-24, F.A.C.
2729Rulemaking Authority 2731257.14, 2732257.36(1), 2733257.36(6) FS. 2735Law Implemented 2737257.36(1)(a) FS. 2739History–New 8-16-92, Amended 5-13-03, 5-21-08, 12-6-21.